By Chester Wisniewski
Businesses today face many threats, but when the threats coming from outside, ransomware above all, are their main concern, they too often overlook internal threats, which can be just as devastating. Far less time is spent assessing whether internal security measures would hold up if an attacker managed to get past the perimeter and, operating from the inside, reached sensitive data that is readily accessible from there.
So what means can be put in place to detect these threats and respond to them effectively?
The sources of these insider threats are diverse and very often go undetected, or are simply undetectable. They may result from negligence or from malice. They can, for example, stem from lax security controls that are not applied to certain systems, or from a lack of logging that would allow these malicious activities to be identified. Although difficult to measure, since they are rarely the subject of dedicated reports, these internal attacks have already affected many companies.
Why Do These Threats Appear?
Intentional or not, insider threats are legion. For example, an employee who carelessly leaves a USB key containing copies of critical information on the train has, in doing so, failed to comply with the rules in force. This type of situation can be tragic for the company, since there is a risk of theft or public exposure of information that could amount to a violation of official regulations imposed by a governing body [usually GDPR, PCI and HIPAA] or by local regulatory bodies. The company must then be extremely transparent, disclosing to its employees, and more broadly to the general public, that it has been the victim of a data breach within the organization, and it must also be held accountable for all actions associated with that data breach.
But these can also be actions triggered intentionally, for a wide variety of reasons. An employee may, for example, realize that he has the opportunity to carry out a malicious action in his workplace because controls are lax or because of the broad visibility his position gives him. This type of situation can lead to the theft of confidential information belonging to the company. The employee then seizes this opportunity to harm the company with impunity.
Various Flaws and Patterns
Cybersecurity experts have identified three distinct insider threat motives: revenge, greed, and inattention.
The first two motives cover both intentional and accidental acts, and are more likely to arise after a dismissal or a resignation. However, these motives vary with the company’s line of business. In the defense sector it may be corruption or espionage, unlike the ICT sector, where theft of commercial data is more widespread. Employees in charge of selling products and solutions can thus save their customers’ contact details in files of their own, and programmers can steal the source code. Despite the media coverage they receive, cases of espionage or sabotage remain, fortunately, the exception.
More generally, data leaks are often caused by insider threats, when sensitive information belonging to the company becomes “uncontained” even though the operational context requires it to be classified confidential. This information then becomes “public”, and people whose position has nothing to do with it can consult it. Very often, when businesses are faced with such accidental data loss or leakage, it is the result of carelessness, inadvertence or clumsiness, such as the loss of mobile devices or USB storage media, or the public exposure of repositories stored in the cloud. The classic example of accidental data release comes from the use of the “To” and “CC” fields when sending an email to multiple external recipients: every recipient’s personally identifiable information is exposed to all of the others, a situation that could have been avoided by using the BCC [blind carbon copy] field.
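The “To”/“CC” mistake described above is easy to check for before a message leaves the organization. The following Python script is an added example (not code from the article or from Sophos) of the kind of outbound check a mail gateway or DLP hook could apply: it parses the visible recipient headers, counts how many external addresses would be revealed to one another, and rewrites the message so that external recipients are moved to BCC. The internal domain (`example.com`), the policy threshold (more than one visible external address), and the sample message are all constructed assumptions for the demonstration.

```python
from email import message_from_string
from email.message import Message
from email.utils import formataddr, getaddresses

# Assumption: the organisation's own mail domain(s); anything else is "external".
INTERNAL_DOMAINS = {"example.com"}

# Constructed outbound message: three customers from different companies are
# all visible to each other in To/Cc, which exposes their addresses (PII).
SAMPLE_MESSAGE = """From: hr@example.com
To: alice@customer-one.test, bob@customer-two.test
Cc: legal@example.com, carol@customer-three.test
Subject: Contract renewal notice

Your contract is up for renewal next month.
"""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def external_recipients(msg: Message, internal_domains=INTERNAL_DOMAINS) -> list[str]:
    """Return the external addresses that appear in the visible To/Cc headers."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _name, addr in pairs
            if addr and _domain(addr) not in internal_domains]


def violates_bulk_external_policy(msg: Message, internal_domains=INTERNAL_DOMAINS) -> bool:
    """Policy: more than one distinct external address visible in To/Cc is a leak."""
    return len(set(external_recipients(msg, internal_domains))) > 1


def move_externals_to_bcc(msg: Message, internal_domains=INTERNAL_DOMAINS) -> Message:
    """Rewrite the headers so that no external recipient can see the others.

    Internal colleagues stay visible in To; every external address goes to Bcc.
    The original To/Cc/Bcc headers are dropped and rebuilt in place.
    """
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    internal, external = [], []
    for name, addr in pairs:
        if not addr:
            continue
        bucket = internal if _domain(addr) in internal_domains else external
        bucket.append(formataddr((name, addr)))
    for header in ("To", "Cc", "Bcc"):
        del msg[header]  # deleting a missing header is a no-op
    msg["To"] = ", ".join(internal) if internal else "undisclosed-recipients:;"
    if external:
        msg["Bcc"] = ", ".join(external)
    return msg


def check_and_fix(raw: str) -> tuple[bool, Message]:
    """Parse a raw message; return (was_violation, safe_message)."""
    msg = message_from_string(raw)
    violated = violates_bulk_external_policy(msg)
    return violated, (move_externals_to_bcc(msg) if violated else msg)


if __name__ == "__main__":
    violated, fixed = check_and_fix(SAMPLE_MESSAGE)
    print("policy violation:", violated)
    print("To: ", fixed["To"])
    print("Bcc:", fixed["Bcc"])
```

When the corrected message is handed to `smtplib.SMTP.send_message`, the Bcc header is used to build the envelope recipient list and is stripped before transmission, so the hidden recipients never appear in the delivered headers. The check is deliberately conservative: a single external recipient is allowed, since nothing is exposed to anyone else in that case.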
Finally, data destruction is another typical action, one that takes away the integrity and availability of the business’s data. It prevents the business from accessing critical information, which can directly impact its operational capacity. While this activity is mostly associated with ransomware operators, it can also be attributed to insider threats. It should be borne in mind that many reasons could lead to such acts, but the main one remains that data is generally stored without adequate access restriction, which allows too many people to reach information that has nothing to do with the tasks entrusted to them. These people can steal sensitive data for revenge, but they can also destroy it, remove it from the company, or even try to extort payment for its return.
How Can We Best Respond to these Threats?
Putting a strategy in place to prevent these internal threats remains difficult, since once an attack is under way it is too late for anticipation and control. It is therefore extremely important to run preparation sessions aimed at determining the impact of these attacks. Training employees in the correct use and understanding of the company’s internal systems and processes can go a long way towards avoiding the errors behind accidental data leaks. In addition, it can be useful to turn to solutions and tools such as file and document management systems to better manage the critical data in the organization’s possession.
Zero Trust Network Access [ZTNA] limits access to only the tools, services and applications a user actually requires, rather than everything on the company’s LAN. It is also possible to employ Data Leakage Prevention [DLP] tools, capable of preventing accidental data leaks, though not intentional theft. XDR systems and firewalls can also be very useful as part of the disaster prevention and recovery plan, because they allow DLP to be enforced while logging access and data movement at the same time. Their records facilitate forensic work, particularly in understanding failures and their consequences. Finally, implementing technical controls that regulate access to data and systems holding sensitive information, and then monitoring the results of those controls and the responses to security policy violations, contributes to detecting a malicious attack in progress.
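The last point, technical access controls whose results are monitored for policy violations, is concrete enough to show in code. The following Python script is an added example (not code from the article or from Sophos) of a small audit over an access log: a role-based entitlement table says which data classifications each role may touch, and two checks flag the patterns the article associates with insider threats, namely access outside the user’s role and large export or delete volumes within a short window. The role table, the thresholds and the log records are all constructed assumptions for the demonstration; a real deployment would read the entitlements from the identity system and the events from the DLP or file-server logs the article mentions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: each role is entitled to read only these data classifications.
ROLE_ENTITLEMENTS = {
    "sales": {"customer-contact"},
    "developer": {"source-code"},
    "hr": {"employee-pii"},
}

# Constructed access-log records:
# (timestamp, user, role, classification, action, record_count)
SAMPLE_LOG = [
    ("2024-03-01T09:00:00", "dana", "sales", "customer-contact", "read", 3),
    ("2024-03-01T09:05:00", "dana", "sales", "customer-contact", "export", 4800),
    ("2024-03-01T09:07:00", "eli", "developer", "source-code", "read", 12),
    ("2024-03-01T09:09:00", "eli", "developer", "employee-pii", "read", 1),
    ("2024-03-01T09:30:00", "fay", "hr", "employee-pii", "read", 2),
    ("2024-03-01T10:10:00", "dana", "sales", "customer-contact", "delete", 950),
]


def out_of_role_accesses(log, entitlements=ROLE_ENTITLEMENTS):
    """Return every event where the user touched data their role is not entitled to.

    This is the control violation itself: the access should have been blocked,
    and if it was not, the log entry is the evidence that the control is lax.
    """
    return [event for event in log
            if event[3] not in entitlements.get(event[2], set())]


def bulk_movements(log, threshold=1000, window=timedelta(hours=1)):
    """Return (user, total_records) for users whose export/delete volume
    exceeds `threshold` records within any sliding window of length `window`.

    Reads are ignored; only actions that move data out of the company's
    control, or destroy it, count towards the total.
    """
    per_user = defaultdict(list)
    for ts, user, _role, _cls, action, count in log:
        if action in ("export", "delete"):
            per_user[user].append((datetime.fromisoformat(ts), count))

    alerts = []
    for user, events in sorted(per_user.items()):
        events.sort()
        for i, (start, _count) in enumerate(events):
            total = sum(c for t, c in events[i:] if t - start <= window)
            if total > threshold:
                alerts.append((user, total))
                break  # one alert per user is enough for the report
    return alerts


def audit(log):
    """Combine both checks into one report structure for the response team."""
    return {
        "out_of_role": [(e[1], e[3]) for e in out_of_role_accesses(log)],
        "bulk_movement": bulk_movements(log),
    }


if __name__ == "__main__":
    for kind, findings in audit(SAMPLE_LOG).items():
        print(f"{kind}: {findings or 'none'}")
```

The two checks answer different questions. The first tests whether the access control itself held (a developer reading employee PII should never have succeeded); the second looks for volume that is abnormal even when every individual access was permitted, which is how theft ahead of a resignation or a destructive act typically shows up in the logs.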
To protect their company and their employees from these internal threats, managers must limit access to data to the people who actually need it and ensure that strict controls are applied to the most sensitive data, while giving employees the support they need. In essence, the right balance must be struck between people, process and technology, since any imbalance can introduce instability and make it easier for risks, whether external or internal to the company, to grow and spread.
The author is the Field CTO – Applied Research at Sophos.